User Authentication and Authorization of Micro Services

AOP Implements Logon Status Check

In Chat about user authentication and authorization for micro services (Part 1), several common authentication and authorization schemes for microservices were briefly introduced, and a minimal demo was written using JWT to simulate token issuance and verification. This article continues from there and covers two remaining points: how a token is passed between multiple microservices, and how AOP can be used to implement unified checking of login status and permissions.

To make the login-check logic reusable, we usually implement it with a filter, an interceptor, or AOP. This section uses AOP for the login status check, because an aspect can also intercept requests for protected resources and perform the necessary checks before the resource is actually accessed.

Finally, a simple test shows whether the aspect method is executed to check the login status when a protected resource is accessed. First start the project and obtain a token:

Carry the token in the request header when accessing the protected resource:

The access succeeds, and the console output at this point is as follows:

Tips:

AOP is used here instead of a filter or interceptor for login verification because the resulting code is cleaner and, combined with a custom annotation, pluggable: if a resource does not need a login check, you simply remove the @CheckLogin annotation from it. AOP is also a fundamental topic that comes up often in interviews, and this practical example gives a working understanding of how to apply it.

Of course, you can also implement this with a filter or an interceptor. There is no single best way; each of the three approaches has its own characteristics, advantages and disadvantages, and the choice depends on the specific business scenario.

Feign implements Token delivery

In a microservice architecture, Feign is often used to call interfaces provided by other microservices. If the called interface checks the login state, the token carried by the current client request must be passed along. By default, Feign does not attach any additional information when requesting interfaces from other services, so we have to decide how tokens are propagated between microservices.

There are two main ways for Feign to pass the token. The first uses Spring MVC's @RequestHeader annotation, for example:

As the example shows, the advantage of the @RequestHeader annotation is that it is simple and intuitive, but the disadvantage is just as obvious. It is fine when only one or two interfaces need to pass a token, but if many remote interfaces need it, adding this annotation to every method means a lot of duplicated work.

The second way is therefore more general: implement a Feign request interceptor that obtains the token carried by the current client request and adds it to the Feign request header. For example:

The other option is to implement the ClientHttpRequestInterceptor interface, which is RestTemplate's interceptor interface and plays the same role as Feign's interceptor for shared logic. The code is as follows:
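The three token-propagation variants described above (a per-method @RequestHeader parameter, a Feign RequestInterceptor, and a RestTemplate ClientHttpRequestInterceptor), as an added example that is not the article's own code. It assumes Spring Boot 2.x with spring-boot-starter-web and spring-cloud-starter-openfeign on the classpath; the service name `user-service`, the `/users/{id}` path, the `CurrentToken` helper and the use of the `Authorization` header are assumptions for the example.

```java
// Added example, not the article's own code. Assumes Spring Boot 2.x with
// spring-boot-starter-web and spring-cloud-starter-openfeign. The service name,
// paths, header name and helper class are assumptions.
package com.example.auth; // hypothetical package

import java.util.Collections;

import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** Reads the token of the request currently being handled, or null outside a request. */
final class CurrentToken {
    private CurrentToken() {}

    static String get() {
        // RequestContextHolder is thread-local: only the thread that received the
        // inbound HTTP request sees the token (scheduled jobs or async pools do not).
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) return null;
        return attrs.getRequest().getHeader(HttpHeaders.AUTHORIZATION);
    }
}

/** Way 1: the caller passes the token explicitly on every method that needs it. */
@FeignClient(name = "user-service")
interface UserClientExplicit {
    @GetMapping("/users/{id}")
    String getUser(@RequestHeader(HttpHeaders.AUTHORIZATION) String token,
                   @PathVariable("id") long id);
}

/** Way 2: no per-method parameter; the interceptor below copies the header. */
@FeignClient(name = "user-service", contextId = "userClientAuto")
interface UserClientAuto {
    @GetMapping("/users/{id}")
    String getUser(@PathVariable("id") long id);
}

@Configuration
class TokenPropagationConfig {

    /** Feign interceptor: applied to every Feign client in this context. */
    @Bean
    RequestInterceptor feignTokenInterceptor() {
        return (RequestTemplate template) -> {
            String token = CurrentToken.get();
            // Forward only a token that actually exists, and never overwrite one the
            // caller set explicitly (Way 1 still works with this interceptor present).
            if (token != null && !template.headers().containsKey(HttpHeaders.AUTHORIZATION)) {
                template.header(HttpHeaders.AUTHORIZATION, token);
            }
        };
    }

    /** RestTemplate equivalent using ClientHttpRequestInterceptor. */
    @Bean
    RestTemplate restTemplate() {
        RestTemplate rt = new RestTemplate();
        ClientHttpRequestInterceptor forward =
                (HttpRequest req, byte[] body, ClientHttpRequestExecution exec) -> {
            String token = CurrentToken.get();
            if (token != null && !req.getHeaders().containsKey(HttpHeaders.AUTHORIZATION)) {
                req.getHeaders().set(HttpHeaders.AUTHORIZATION, token);
            }
            return exec.execute(req, body);
        };
        rt.setInterceptors(Collections.singletonList(forward));
        return rt;
    }
}
```

Two points worth checking in a real deployment: because the helper relies on a thread-local request context, a Feign call made from a separate thread pool (for example under a circuit breaker with thread isolation) will silently go out without a token and fail the downstream login check, which is the safe failure mode but easy to misdiagnose; and the downstream service must still verify the forwarded token itself rather than trusting the caller, since anything reachable on the internal network can set the same header.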

AOP Implements User Rights Verification

The first section described how to use AOP for the login state check. In addition, some protected resources may require the user to hold a specific permission, so that permission has to be checked before the resource can be accessed. Permission checking can likewise be implemented with a filter, an interceptor, or AOP; as in the previous section, AOP is used as the example.

The checking logic here is not complex: it only needs to determine whether the user holds a given role. So first define an annotation whose value identifies which role a user must hold to access the protected resource. The code is as follows:
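The two aspects the article builds (the @CheckLogin login-state check from the first section and the role-based permission check from this section), as one added example that is not the article's own code; both advices share the same token verification, so they are shown together. It assumes Spring Boot 2.x with spring-boot-starter-web and spring-boot-starter-aop, and jjwt 0.11.x (jjwt-api, jjwt-impl, jjwt-jackson) for verification. The annotation name `@CheckRole`, the `role` claim name, the `jwt.secret` property, the `Authorization: Bearer` header format and the exception classes are assumptions for the example.

```java
// Added example, not the article's own code. Assumes Spring Boot 2.x with
// spring-boot-starter-web and spring-boot-starter-aop, plus jjwt 0.11.x.
// Annotation names, claim name, property name and header format are assumptions.
package com.example.auth; // hypothetical package

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletRequest;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** Marks a handler that requires a valid token (login state). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface CheckLogin {}

/** Marks a handler that additionally requires the given role. Hypothetical name. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface CheckRole { String value(); }

@ResponseStatus(HttpStatus.UNAUTHORIZED)
class UnauthorizedException extends RuntimeException {
    UnauthorizedException(String msg) { super(msg); }
}

@ResponseStatus(HttpStatus.FORBIDDEN)
class ForbiddenException extends RuntimeException {
    ForbiddenException(String msg) { super(msg); }
}

@Aspect
@Component
public class AuthAspect {
    private final SecretKey key;

    // HS256 needs a secret of at least 256 bits; jjwt rejects shorter keys.
    public AuthAspect(@Value("${jwt.secret}") String secret) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    /** Runs before any @CheckLogin method: the token only has to be valid. */
    @Before("@annotation(checkLogin)")
    public void checkLogin(CheckLogin checkLogin) {
        verifyCurrentToken();
    }

    /** Runs before any @CheckRole method: a valid token AND a matching role claim. */
    @Before("@annotation(checkRole)")
    public void checkRole(CheckRole checkRole) {
        Claims claims = verifyCurrentToken();
        String role = claims.get("role", String.class); // claim name is an assumption
        if (!checkRole.value().equals(role)) {
            throw new ForbiddenException("role " + checkRole.value() + " required");
        }
    }

    /** Reads the bearer token from the current request and verifies signature and expiry. */
    private Claims verifyCurrentToken() {
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            throw new UnauthorizedException("no request bound to this thread");
        }
        HttpServletRequest request = attrs.getRequest();
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            throw new UnauthorizedException("missing bearer token");
        }
        try {
            // parseClaimsJws checks the HS256 signature and the exp claim; an
            // unsigned token or one signed with another key raises JwtException.
            return Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(header.substring("Bearer ".length())).getBody();
        } catch (JwtException e) {
            throw new UnauthorizedException("invalid token: " + e.getMessage());
        }
    }
}

// Usage in a controller (hypothetical handlers):
// @GetMapping("/me")        @CheckLogin          public UserDto me() { ... }
// @DeleteMapping("/users")  @CheckRole("admin")  public void purge() { ... }
```

One caveat that applies to every annotation-driven aspect of this kind: Spring AOP works through proxies, so the check only runs when the annotated method is invoked from outside its bean. A call from another method of the same controller bypasses the proxy and therefore the check, so protected logic should live behind the annotated entry point rather than being reached by self-invocation.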